VEN Compatibility Check
This topic explains how to use the VEN Compatibility Check feature after installing VENs on workloads.
About Compatibility Checks
When you pair a 19.3.x VEN or later release in the Idle state or change the VEN state to Idle, the VEN performs several compatibility checks and sends the results to the PCE. This process occurs every 24 hours and checks whether the preexisting workload state will have issues when the VEN is moved out of the Idle state.
After reviewing the results of the VEN Compatibility Check, you can determine whether the VEN is ready to be moved out of the Idle state or whether you first need to resolve any detected issues, such as backing up any system firewall rules.
Note
The VEN Compatibility Check is performed per-workload and is available only for VENs in the Idle state, not Visibility, Selective, or Full states. If a workload reverts from any of these states to the Idle policy state, the VEN Compatibility Check is performed.
All detected issues are categorized as:
Red: Major incompatibility detected
Yellow: A potential incompatibility detected
Green: No major incompatibilities detected
The Compatibility Check results are displayed in the PCE web console. To view the results:
Go to Workloads and click the name of the workload whose Compatibility Report you want to see.
Note
The workload must be in the Idle state for the Compatibility Report tab to appear (Edit > Enforcement > Idle, then click Save).
Click the Compatibility Report tab.
If no incompatibilities are detected on the VEN, the page displays "No Data to Display."
After viewing the results, you can export the report as a text file by clicking Export.
Beginning in 22.3.0-PCE, the Compatibility Report displays VEN packages that are required but are either missing or have a problem with their installation. This information helps you troubleshoot a failed installation.
The compatibility checks vary by the workload's operating system.
Linux Operating Systems
Incompatibility Type | Reason for incompatibility with Illumio Core | Results |
---|---|---|
IPv4 forwarding enabled | At least 1 iptables forwarding rule is detected in the forwarding chain. VEN removes existing iptables rules in the non-Idle policy state. | Yellow |
iptables rule count | At least 1 iptables filter rule is detected. VEN removes existing iptables rules in the non-Idle policy state. | Yellow |
IPv6 global scope enabled | IPv6 is enabled for the workload. | Yellow |
ip6tables rule count | At least 1 iptables filter rule is detected. VEN removes existing ip6tables rules in the Visibility policy state. | Yellow |
IPsec service enabled | UDP port 500/4500 is in use by other services. Do not enable SecureConnect for the workload. | Red |
Routing table conflict | The StrongSwan routing table setting conflicts with existing networking routing tables. Do not enable SecureConnect for the workload. | Red |
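
The following is an added example, not Illumio code and not how the VEN performs its checks. It approximates three rows of the Linux table from saved command output: the filter rule count, the FORWARD chain rule count, and UDP 500/4500 in use. The function names, the constructed sample data, the backup file name, and the "worst finding wins" summary are assumptions of this example.

```bash
#!/bin/sh
# Added example, not VEN code: approximates three Linux rows of the table above.
# Functions read command output on stdin, so they work on saved or live data.

# Count -A rules in the *filter table of iptables-save/ip6tables-save output.
# Optional $1 limits the count to one chain (e.g. FORWARD).
count_filter_rules() {
  awk -v chain="${1:-}" '
    /^\*/ { in_filter = ($0 == "*filter") }
    in_filter && $1 == "-A" && (chain == "" || $2 == chain) { n++ }
    END { print n + 0 }'
}

# List the IKE/NAT-T ports (500, 4500) bound in `ss -Hlun` output, e.g. "500,4500".
ike_ports_bound() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:(500|4500)$/) {
           sub(/.*:/, "", $i); print $i; break } }' | sort -un | paste -sd, -
}

# Summarise with the page's colours (assumption: the worst finding wins).
# $1 = filter rule count, $2 = bound IKE ports ("" if none)
classify() {
  if [ -n "$2" ]; then echo Red
  elif [ "$1" -gt 0 ]; then echo Yellow
  else echo Green; fi
}

# Constructed sample data (not captured from a real host).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT'
SAMPLE_SS='UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
UNCONN 0 0 0.0.0.0:500 0.0.0.0:*
UNCONN 0 0 [::]:4500 [::]:*'

total=$(printf '%s\n' "$SAMPLE_RULES" | count_filter_rules)
fwd=$(printf '%s\n' "$SAMPLE_RULES" | count_filter_rules FORWARD)
ike=$(printf '%s\n' "$SAMPLE_SS" | ike_ports_bound)
echo "filter rules=$total forward rules=$fwd ike ports=$ike -> $(classify "$total" "$ike")"
# Live host, as root: iptables-save > rules.v4.bak && count_filter_rules < rules.v4.bak
```

The live-host line in the final comment also leaves a backup of the existing rules, which the VEN removes once the workload leaves the Idle state.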
Windows Workloads
Incompatibility Type | Reason for incompatibility with Illumio Core | Results |
---|---|---|
IPv6 enabled | IPv6 is enabled for the workload. | Yellow |
Virtual loopback interfaces | Virtual loopback interface is detected. Untested and unsupported configuration. | Yellow |
Firewall GPO | Windows firewall Group Policy Object (GPO) is detected. For more information, see KB Article #3545 Firewall GPO Warning Under Compatibility Report (login required). | Yellow |
IPsec service enabled | IKEEXT service is disabled. Do not enable SecureConnect for the workload. | Yellow |
AIX and Solaris Workloads
Incompatibility Type | Reason for incompatibility with Illumio Core | Results |
---|---|---|
IPv4 forwarding enabled | IPv4 is enabled for the workload. | Yellow |
iptables rule count | At least 1 iptables filter rule is detected. VEN removes existing iptables rules in the non-Idle policy state. | Yellow |
IPv6 global scope enabled | IPv6 is enabled for the workload. | Yellow |
ip6tables rule count | At least 1 iptables filter rule is detected. VEN removes existing ip6tables rules in the Visibility policy state. | Yellow |
IPsec service enabled | IPsec service is already in use. Do not enable SecureConnect for the workload. | Red |
AIX Workloads only
Incompatibility Type | Reason for incompatibility with Illumio Core | Results |
---|---|---|
IPv6 active connection count | Complementary check whether IPv6 global scope is enabled. |